From 5973e272516b141a9c3178910b41f72bcb2bc40e Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Mon, 5 Mar 2018 15:13:14 +0100
Subject: [PATCH] Reenable HTTP session management for /v2

---
 .../de/thm/arsnova/config/SecurityConfig.java | 61 +++++++++++++------
 1 file changed, 43 insertions(+), 18 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/config/SecurityConfig.java b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
index 63a018f2e..5f7104582 100644
--- a/src/main/java/de/thm/arsnova/config/SecurityConfig.java
+++ b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
@@ -42,6 +42,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
+import org.springframework.core.annotation.Order;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.FileSystemResource;
 import org.springframework.ldap.core.support.LdapContextSource;
@@ -127,29 +128,53 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	@Value("${security.google.key}") private String googleKey;
 	@Value("${security.google.secret}") private String googleSecret;
 
-	@PostConstruct
-	private void init() {
-		if ("".equals(apiPath)) {
-			apiPath = servletContext.getContextPath();
+	public class HttpSecurityConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http.exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint());
+			http.csrf().disable();
+			http.headers().addHeaderWriter(new HstsHeaderWriter(false));
+
+			http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
+			if (casEnabled) {
+				http.addFilter(casAuthenticationFilter());
+				http.addFilter(casLogoutFilter());
+			}
+
+			if (facebookEnabled || googleEnabled || twitterEnabled) {
+				http.addFilterAfter(oauthCallbackFilter(), CasAuthenticationFilter.class);
+			}
 		}
 	}
 
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
-		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
-		http.exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint());
-		http.csrf().disable();
-		http.headers()
-			.addHeaderWriter(new HstsHeaderWriter(false));
-
-		http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
-		if (casEnabled) {
-			http.addFilter(casAuthenticationFilter());
-			http.addFilter(casLogoutFilter());
+	@Configuration
+	@Order(2)
+	@Profile("!test")
+	public class StatelessHttpSecurityConfig extends HttpSecurityConfig {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			super.configure(http);
+			http.antMatcher("/**");
+			http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 		}
+	}
+
+	@Configuration
+	@Order(1)
+	@Profile("!test")
+	public class StatefulHttpSecurityConfig extends HttpSecurityConfig {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			super.configure(http);
+			http.antMatcher("/v2/**");
+			http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
+		}
+	}
 
-		if (facebookEnabled || googleEnabled || twitterEnabled) {
-			http.addFilterAfter(oauthCallbackFilter(), CasAuthenticationFilter.class);
+	@PostConstruct
+	private void init() {
+		if ("".equals(apiPath)) {
+			apiPath = servletContext.getContextPath();
 		}
 	}
 
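Review bot: `http.csrf().disable()` in the shared `HttpSecurityConfig.configure` now also governs `StatefulHttpSecurityConfig`, where `/v2/**` requests are authenticated through a cookie-bound HTTP session (`SessionCreationPolicy.IF_REQUIRED`); disabling CSRF is defensible for the bearer-token-only stateless chain but not for a chain where the browser attaches the credential automatically. If the CAS/OAuth flows genuinely need the session, either move the `http.csrf().disable();` call into `StatelessHttpSecurityConfig.configure` and give the stateful chain a token repository (e.g. `http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());`), or add a comment stating why CSRF is not needed on /v2 (`// CSRF intentionally disabled: /v2 clients authenticate with ... only`). With `IF_REQUIRED`, a request authenticated by `jwtTokenFilter()` may also get its SecurityContext persisted into a newly created session — whether that happens depends on the filter, which is outside this hunk, so it is worth confirming the JWT does not silently become a cookie session. Finally, the outer `SecurityConfig` still extends `WebSecurityConfigurerAdapter` and no longer overrides `configure(HttpSecurity)`, so its default chain (order 100, form login/HTTP Basic on every request) is presumably still registered; it is shadowed by the `/**` matcher outside the `test` profile, but an explicit override or comment would make that intent clear.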
-- 
GitLab